Microsoft, Too, Says FBI Secretly Surveilling Its Customers

A breakdown of the number of National Security Letters the FBI has issued to Microsoft, and the number of accounts (“identifiers”) targeted, for user data. Source: Microsoft

Microsoft said the Federal Bureau of Investigation is secretly spying on its customers with so-called National Security Letters that don’t require a judge’s approval, a revelation Thursday that mirrors one Google announced two weeks ago.

Redmond, Washington-based Microsoft announced that the type of accounts the feds are targeting with National Security Letters, warrants or court orders include Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365.

The announcements by the two tech giants mark the first time U.S. companies have divulged they were secretly responding to National Security Letters and coughing up user data to the bureau without probable-cause warrants. And the Microsoft announcement comes six days after a federal judge declared National Security Letters unconstitutional and gave President Barack Obama's administration 90 days to appeal the ruling.

The NSLs, which have been issued nationwide hundreds of thousands of times, are written demands from the FBI that compel internet service providers, credit companies, financial institutions and businesses like Google and Microsoft to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more, as long as the FBI says the information is “relevant” to an investigation.

“Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information,” Microsoft said.

Google, Microsoft and other entities that receive NSLs are gagged from disclosing them publicly or to the targets. But, “pursuant to approval from the government,” Microsoft released a numerical “range” of the number of NSLs it has received dating to 2009.

Two weeks ago, when Google released its numbers, it said it only publicized a range “to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations.”

The ranges each company published are similar, but not identical.

For 2012, which is the latest data available, Microsoft said it received 0-999 National Security Letters involving between 1,000 and 1,999 accounts. In 2011, Microsoft said it received 1,000-1,999 of them for 3,000-3,999 accounts.

For 2010, the company reported 1,000-1,999 requests targeting 5,000-5,999 accounts. In 2009, there were 0-999 National Security Letters targeting 2,000-2,999 accounts.

Google, on the other hand, reported receiving 0-999 National Security Letters for years 2009-2012 affecting 1,000-1,999 accounts for all years but 2010. That year, National Security Letters targeted 2,000-2,999 accounts.

Neither Google nor Microsoft numerically broke down which of their services were targeted with NSLs.

In 2011, the year with the latest available figures, the FBI issued 16,511 National Security Letters pertaining to 7,201 different persons.

You’re not alone if it seems strange the two companies are reporting numerical ranges.

U.S. District Judge Susan Illston of San Francisco declared the letters unconstitutional on Friday because of the harsh gag rules associated with them. Illston said the NSL nondisclosure provisions “significantly infringe on speech regarding controversial government powers” which thwarts “the public debate” about them.

Under the Patriot Act, an NSL may compel Microsoft to divulge “the name, address, length of service, and local and long distance toll billing records” of its users if it is “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” An FBI agent can self-issue an NSL to credit bureaus, ISPs, phone companies or any business with only the sign-off of the special agent in charge of their field office.

A Justice Department Inspector General audit found in 2007 that the FBI had indeed abused its authority and misused NSLs on many occasions. After 9/11, for example, the FBI paid multimillion-dollar contracts to AT&T and Verizon requiring the companies to station employees inside the FBI and to give these employees access to the telecom databases so they could immediately service FBI requests for telephone records.

The IG found that the employees let FBI agents illegally look at customer records without paperwork and even wrote NSLs for the FBI.

David Kravets is a senior staff writer for Wired.com and founder of the fake news site TheYellowDailyNews.com. He's a dad of two boys and has been a reporter since the manual typewriter days.